在java web编程中,经常使用shiro来管理session,也确实好用
- shiro来获取session的方式
SecurityUtils.getSubject().getSession()
其中SecurityUtils的getSubject代码如下
/**
* Returns the currently accessible {@code Subject} available to the calling code depending on
* runtime environment.
* <p/>
* This method is provided as a way of obtaining a {@code Subject} without having to resort to
* implementation-specific methods. It also allows the Shiro team to change the underlying implementation of
* this method in the future depending on requirements/updates without affecting your code that uses it.
*
* @return the currently accessible {@code Subject} accessible to the calling code.
* @throws IllegalStateException if no {@link Subject Subject} instance or
* {@link SecurityManager SecurityManager} instance is available with which to obtain
* a {@code Subject}, which which is considered an invalid application configuration
* - a Subject should <em>always</em> be available to the caller.
*/
public static Subject getSubject() {
Subject subject = ThreadContext.getSubject();
if (subject == null) {
subject = (new Subject.Builder()).buildSubject();
ThreadContext.bind(subject);
}
return subject;
}
Subject subject = ThreadContext.getSubject();
获取进程上下文,这个存在了问题,如果在使用线程池,获取的就是线程池里面的session,如果线程池为配置过期时间,那么线程池里面的线程一直不变,就会出现在线程池里面getsession就会是上一次的session,导致获取session失败
线程池原理可参考